Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
Craig Linton - Cyber & Technology Product Lead and Underwriting Manager at Beazley
133 Plays11 months ago
We're joined by Craig Linton - Cyber and Technology Product Lead and Underwriting Manager at Beazley - on this episode. We cover Craig's background, what he's leading at Beazley, cyber applications, and a lot of AI. Make sure to connect with Craig on LinkedIn!
Recommended
Transcript
Introduction and Guest Background
00:00:19
Speaker
Welcome to the InsuresEC Podcast. You have your two hosts, myself, Ryan Dunn and Abe Gibson. And today we have a special guest, Mr. Craig Linton.
00:00:32
Speaker
He is a leader over at Beasley, specialized in cyber for quite some time. And we're super excited to have him on. He's a voice of reason in the cyber insurance world. And he is an expert in many facets around the cyber insurance world. And hopefully we'll be able to dig into a few of them on this episode. But Craig, great to have you on.
00:00:58
Speaker
if you want to introduce yourself to our listeners and just start with, you know, maybe as Abe always says, you know, where mom and dad met and go from there or, you know, who you like to. Thanks, Ryan. And thank you, Abe, for inviting me to share on this podcast. Yeah, so I'm Craig Linton.
Craig's Career Journey
00:01:19
Speaker
I'm the cyber and tech product lead at Beasley. And what that means is I work on a lot of different things.
00:01:28
Speaker
A lot of its strategy around our cyber and tech product, what we're going to do, how we're going to risk select, whether it's through applications or scanning, developing our applications. I love doing that. Refreshing our policy, adding endorsements, doing other thinking about how we can give better tools to underwriters to do their job, and also helping craft the underwriting guidelines based on emerging trends, new claims, and stuff like that.
00:01:57
Speaker
So that's kind of like where I am now. And I've been at Beasley for about seven years now, but not continuously. So I joined Beasley in 2015. Before that, I was a lawyer in private practice and I was immediately prior to joining Beasley, I had practice for about four years doing insurance coverage law. So that's kind of how I got into insurance. I joined a firm.
00:02:26
Speaker
that was doing litigation and they happened to be doing also insurance coverage litigation. And I really liked that. It was a lot of fun. We did a little bit of work for Beasley and some other carriers. So got to come in-house, I guess you could say, and work on our claims team. So I did that for about four years. That was my first real taste of cyber and tech claims. And did that for four years, left, went to another insurance carrier to do
00:02:55
Speaker
to run their cyber product and that was a large domestic carrier and that was probably the best worst decision I had made because I got to learn something new and I got to deal with new people and this other carrier gave me a real chance to learn how to do the product side after having come from the claim side and unfortunately,
00:03:25
Speaker
Like they were going through some business, they went through an acquisition and there were a lot of people who were leaving and everybody who I had joined to come work with, they had decided to leave. And so I reached back out to Beasley and I said, hey, do you have any positions open?
Focus on Ransomware and Underwriting at Beasley
00:03:41
Speaker
And eventually one came open for their underwriting, in their underwriting management division, which is the part of the, it's the division that I'm part of. And everything, you know, we were working on
00:03:54
Speaker
uh, when I joined in 2021, January 2021, um, we started working on how to respond to ransomware, how to get the, uh, the book back to where it needed to be. And so for about, what is it? One, two, three, so three years. Uh, sorry. Um, I've been, I've been working on ensuring that our book is profitable through, um, you know, lots of different, lots of different means. So that's,
00:04:22
Speaker
That's how I came to be in this industry. I love working at Beasley. I'm not just saying that because there's somebody from marketing who will probably listen to this podcast. I do love this company, and I believe Beasley Pink, and I think it's a great place to work.
00:04:41
Speaker
Yeah, that's awesome. So what
Evolution of Cyber Insurance
00:04:43
Speaker
a time to, what a time to join back 2021. Um, yeah, but also like you, it seems like you've been in the cyber insurance industry for, I mean, a relatively long time, given how young it is, like you were kind of there in the beginning.
00:05:02
Speaker
Yeah, in cyber years, which is kind of like dog years, I guess. Joining cyber in 2015 makes me kind of ancient. Actually, I was introducing a colleague who was doing a training, and I wanted to show how much experience she had, because we have a lot of new underwriters, and she was teaching them things about Tekino, and so I looked her up on LinkedIn. And it turns out she had started as a Tekino underwriter in 2007.
00:05:30
Speaker
And so I said, I was like, everybody listen up. Our colleague here, she started underwriting in 2007. That's before the iPhone came out. That's how long ago it was. So we have, that's another great thing about Beasley is we have colleagues who just have a great, like great colleagues who have, who have a lot of depth of experience. And like me joining in 2015, I may be old in cyber years, but there are a lot of people who have a lot more experience, which is, it's really great to
00:06:00
Speaker
And didn't, didn't Beasley spearhead tech, you know, am I remembering that correctly?
Creating Insurance Applications
00:06:06
Speaker
I mean, if they did, it would have been like before the cyber, before insurance was even an idea of what I wanted to do with my, my career. Um, as far as I've been at Beasley, it's always been around. So, you know, as far as I know, like tech, you know, started out when every other insurance lines started out. Well, at least 2007. Yeah, at least.
00:06:26
Speaker
Well, she had started at a different carrier, but I'm sure that, yeah. I mean, Beasley's been doing this for a long time.
00:06:34
Speaker
That's wild 2007. I mean, yeah, I always, uh, you know, when I try to explain, uh, cyber insurance to, uh, people that, you know, or, or, you know, let's just say their insurance understanding is Geico. Right. Um, I typically use like, Hey, you know, would you rather lose your phone or your wallet type of a scenario?
00:06:58
Speaker
Um, and they realized like, damn, I really can't live without my phone. Um, and the fact that we were in flip phones and the Motorola at that time, it's like, you know, that scenario doesn't work in 2007 really. So pretty wild. Someone like that has had, has had the opportunity to see like the full evolution of everything that now matters in tech, you know? Um, and I think that's, that's a, that's an incredible perspective to have.
00:07:24
Speaker
Yeah. Did they write it? Did they write policies in hieroglyphics then too, or? I mean, they were probably doing it in London, so they might've been going in crayon. I've seen when I was an attorney in private practice and we would get some of these policies. Now granted, they weren't cyber policies, but they were policies that were written in London and literally they were written in London. Like there was one exclusion written on a policy that was like written in pencil, like in the margin. And that was the exclusion that we had to rely on.
00:07:53
Speaker
And it was kind of a war and confiscation exclusion. And that was an eye-opener for how things are done in London versus in the United States. It's very, we file the policy. We stick to that. And we're very strict on issuing policies. Whereas in London, things are more loosey-goosey. And that makes it all fun.
00:08:18
Speaker
Yeah. So you mentioned something in the, in the intro about, um, applications and that's, um, I mean, we could probably have like a five hour podcast just on applications with, with, uh, with us through on here. Uh, I I'm curious from your perspective, obviously having influence on applications and this, you know, being a part of your day-to-day process, assessing applications.
00:08:48
Speaker
Take us through the thought process on how those are created. What's the driving force behind the question selection? And is there any sort of standard that you're using or is it more reactive to what you're seeing take place in the real world? So, wow. It's a loaded question. Yeah, this is only in our podcast.
00:09:15
Speaker
So there are, first off, there are, we recently redid, revised our cyber applications. So we did that earlier this year around, I want to say March is when we released it, March or April. And we really retooled it from the ground up and wanted to make sure that it was now fit for purpose.
00:09:39
Speaker
It asked the right questions. It didn't ask too many questions. It didn't ask too few questions. It asked the questions in the right areas. It asked the questions in the right ways. There are so many things to think about when you're putting together an insurance application. And I also want to say that while I could probably say I spearheaded it and I shepherded the process and made a lot of the key decisions, there were a lot of other people who were involved in the process. And I guess talking about those other people
00:10:08
Speaker
can kind of give you an insight into how that process works. But when I sat down to write the launch email, to launch it to our underwriters, I sat down and thought through who all helped with this process. And I just wanted to list their names and acknowledge them because I didn't want this to look like a one-man show.
00:10:31
Speaker
After I was done listing all their names, I counted them up and there were about 50 different people who made meaningful contributions to our application process. And so that first we have like the cybersecurity folks. We have some really sharp, really awesome
Challenges in Designing Insurance Applications
00:10:48
Speaker
cybersecurity folks. There's one individual in particular, his name is Devon Defritus and he started out at Beasley working in our IT department.
00:10:58
Speaker
And he was like the help desk guy. And so if anything happened to your computer, you would call Devon over. This is back when we were in the office. And he would look at your computer, and then he would just recite from memory the steps you would need to take to solve the problem on your computer. And it was just uncanny. I think the business realized real quick that he was a very sharp guy. And now he's one of our client experience
00:11:29
Speaker
team members, but he knows so much about cybersecurity and knows so much about cybersecurity in a practical way. And so he helped me review a lot of the questions. We had some underwriters help me review a lot of the questions and say, okay, this question is going to work for this size policyholder, but it won't be a question that a smaller policyholder will be able to answer. And we've actually bifurcated our insurance application so that it's
00:11:58
Speaker
There's an under 250 application, under 250 million in revenues, and there's an over 250 million in revenues application. So they helped me understand that. We use some outside consultants to put together the data science that underpins the questions and how they're scored and how we view at the end of the day how those applications get scored and become part of our underwriting process. We have a team, the IT team takes
00:12:28
Speaker
They built an application. They built the process to allow us to ingest the applications in a way that we can easily and automatically score them. There are so many layers of process and help and thought that go into these applications. But at the end of the day, we're looking to build an application that covers a lot of the bases, covers all the bases, ideally. Not too long, not too short.
00:12:57
Speaker
It asks questions that can be answered by the vast majority of policyholders. That's one of the really tough ones. Because you have to, you can't assume that every policyholder is going to have, say, remote access to their network. And so you have to say, OK, if you ask the question about do they have multi-factor authentication for remote access, you have to think about, well, some are going to say yes, some are going to say no.
00:13:25
Speaker
But some are going to say, we don't even have remote access. So you have to have that answer option because that is actually more secure than having MFA at all. So thinking through those questions, making sure you have questions on network security, email security, backup strategy, incident response, endpoint security, having all those things together. And then working with the data science team to make sure
00:13:53
Speaker
if you ask those questions that you are still getting enough information, even when you're paring it down, because we had a much longer application before we'd launched this new application. But to make sure that you're still asking enough questions, that you will be able to risk select in a very effective way. So that's what we did. That's kind of the pulling back the curtain a little bit. I wish I could talk about, there's tons of proprietary things that I wish I could tell you about how our application works. And it's really whiz bang.
00:14:23
Speaker
all the cool stuff that our data science team does. But yeah, unfortunately, you'd have to come join Beasley. And then I could, then I could, if you were a Beasley employee, then we could really nerd out, but. This is when you'd miss everybody for joining Beasley. Yeah, exactly. Exactly. It's a great company to work for. Hey, come work for it. You can learn all the secrets as well. Yeah.
00:14:43
Speaker
He literally just put the seekers behind a paywall within the room. It's a reverse paywall. You come join easily. We'll pay you. We'll pay you. That's amazing. I love it. We talk about applications so much here at Insure, Psych, and Scenario Cyber.
00:15:08
Speaker
It's a conversation that we are super passionate about. I've been, you know, even prior to this, when I was at Trava, it was something that we discussed a lot. You know, I've seen applications evolve over time, you know, from asking the AIG five questions back in 2016, like kind of what you were alluding to in 2015.
00:15:30
Speaker
all the way to now. But something that I've been somewhat adamant on, and I think Abe is alongside of me in this statement, is we think that a lot of these applications still lack a lot of context around each control segment.
00:15:49
Speaker
And I'm curious if you see any type of evolution coming to applications that you can share with us. Like, hey, is it going to be still yes, no questions? Or do you see validation coming into play, like with MFA or EDR or MDR or like, hey, who's your 24 seven socks, stuff like that. Do you see, you know, any evolution around that stuff that you can share or is that still proprietary that you. So I,
00:16:20
Speaker
I would like to see it. I'll say that. I would like to see, you know, I think the holy grail in this industry is getting the like inside the firewall information because applications can only go so far. You can only ask so many questions and you can only really rely on them so much. We know that when we ask questions, when any insurance carrier ask questions, they're not always going to be correct or there's going to be like a yeah, but, and you might not always get the, but you'll just get the yeah.
00:16:50
Speaker
So we know that that inside the firewall scanning and that kind of more technical being able to pull things out of a policy holder or an applicant, if they're not already a policy holder, that is something that I'd like to see.
Brokers' Roles and Legal Complexities
00:17:07
Speaker
I don't think anyone has mastered it yet. And I think it's a very tough sell. It's something that in the under, it's an underwriting process issue because if you as an underwriter,
00:17:20
Speaker
You get a submission, you say, OK, just install this agent in your network. I think the broker will most likely come back to you and say, yeah, no, thanks. We're already bound with your competitor. And so it's a difficult opportunity to take hold of, especially as I think we're entering a softer market. It's something that is becoming less and less attainable. It's more difficult to attain now.
00:17:49
Speaker
than it was maybe in the hard market. Not that anybody really succeeded in the hard market either. So I know there are companies out there that do it, that pitch us. And I think that there's some promise there. I think it's just going to be really difficult. Yeah. I used to pitch carriers and MGA's on it from the Travis side.
00:18:14
Speaker
My, my theory is the only person that's able to sell it is the broker and so you have to align with the broker and back into the carrier. And what but you know there's a few missing factors for the broker to be effective there that we haven't been able to see yet. I think you might be able to see it in hard to write industries or middle market.
00:18:35
Speaker
Yeah. Because even if we're in a soft market, they're in a perpetual hard market, right? Yeah. So a big piece of that is pro-activeness on the underwriting piece that I think 99% of agents are still lacking.
00:18:55
Speaker
If you're able to go in there six months, five months ahead of time, I think you'll be able to get some inside out underwriting. And then the agent should be the controller of that information and distribute it to the carrier from there. I don't think it should be a direct connection from carrier to insured. Yeah, that's what everybody's fighting over. I think every broker wants to be the gatekeeper and every carrier wants to have the direct link. And I think there's going to be a fight over that.
00:19:26
Speaker
I'm not sure who will win. I think ultimately the winner will be the one who has the best technology and has the best way to streamline that. But yeah, that's a fight. And we definitely want to have a piece of that. And I know that you guys want to have a piece of that. So we'll see. I think there's opportunities for collaboration. And I think ultimately it may be a collaborative effort using
00:19:55
Speaker
APIs and getting everybody on the same page with maybe an industry standard, that's what's really going to advance the ball.
00:20:04
Speaker
There's, so this, you, you don't have to answer this with, uh, official legal advice here, but what a way to preface a question. Um, I, one of the, so as scenario cyber, we like from inception had the ability to do inside out scanning and we were using it in the wild on a few submissions.
00:20:28
Speaker
And we quickly found that, and this kind of depends on what, you know, what you're using to scan, but a lot of it is just kind of tweaked cybersecurity software that you're, you know, it's really looking for vulnerabilities. So we're essentially just handing underwriters a bunch of vulnerability data that they don't really even understand what it means. Additionally, I just, I felt like, okay, I'm,
00:20:52
Speaker
I'm a broker, I have access to this data. If the results are bad and I don't share that, does that open me up to any sort of liability with a carrier for withholding information? And then additionally, just possessing this vulnerability data that's not mine just doesn't seem like something that I want to do.
00:21:14
Speaker
That's a great question, Abe. Next question. No, that is a great question. You should ask a lawyer who specializes in that. I think as far as issue spotting goes, that's an interesting issue. And I hadn't thought of that because I'm not being a broker. I hadn't been thinking about gathering data that I didn't then disclose to the carrier.
00:21:44
Speaker
This is not legal advice, but in my previous role as an attorney, so in marine insurance, there is this doctrine, and I think it's only marine insurance, and I hope I'm pronouncing this correctly. It's uberame fidei, and it's like some Latin term that means the utmost fidelity. It means that the policyholder has an obligation to
00:22:14
Speaker
disclose all material facts to the carrier in advance of a policy being underwritten. So whether the carrier asks about it in an application or not, if there's a material fact that needs to be disclosed, then that doctrine says it has to be disclosed. Otherwise, you face issues like rescission, or you face claim denial issues. Again, this has nothing to do with cyber insurance. As far as I know, this only applies to
00:22:43
Speaker
to maritime, excuse me, not maritime, marine insurance. And I'm not even really sure that it really applies anymore. There's more talk of the doctrine than I think I actually saw application of that doctrine. So, you know, what's the answer to your question? I don't know. In other contexts, there may be some kind of responsibility because the broker is obviously the agent for the policyholder. So,
00:23:13
Speaker
there's that, but I don't think I can give you an answer. I just think it's an interesting question. I think you should probably call up your lawyer and spend a thousand bucks an hour to have that person figure it out and tell you, well, we don't
Standardization of Cyber Insurance Applications
00:23:26
Speaker
know. At the end of the day, the lawyer is probably gonna say, well, it depends and we don't know.
00:23:30
Speaker
Um, they'll send you a large bill later. Yeah. Yeah. I just, I don't feel like I'm at a point right now where I want to be the, the guinea pig. So I'll just let somebody else figure that out. Let somebody else, uh, either be successful in defending a lawsuit or, uh, uh, get tagged with lawsuit and lose. And then, uh, you'll know what your responsibilities are. It's such a, it's such a good point in question. Like I, my brain is spinning right now on it. Like, um,
00:24:00
Speaker
If the carrier doesn't have the data science right now to ingest that data, why even do it until you have that data science built? It's a chicken or the egg type of thing. Yeah, it is a chicken or the egg. Right now, we ingest a lot of data from our application. We also do external scanning. I think a lot of other, pretty sure every other carrier does external scanning. But what you do with that data,
00:24:30
Speaker
that you got to figure out, OK, if you see an open port, what are you going to do? How are you going to handle that? And how are you going to handle things you might have found on the dark web or credentials that were leaked? How do you weigh that in your underwriting? And fortunately, we have a data science team who will be very happy to do the analysis and tell us. But that's something that everyone has to tackle.
00:25:02
Speaker
Here's kind of a question that's just a little bit more theoretical. So one of the other things that I'm really passionate about is NIST. The NIST framework. The NIST CSF framework.
00:25:17
Speaker
I have kind of like a theory. So there's two applications that I would say in the marketplace are the most comprehensive in the ones that I recommend the most. They would be Beasley's application and Tokyo Marine. I'd say that you're not saying that just because, but okay. Yeah, that's been for us, you know, a good amount of time. I feel like Beasley and Tokyo Marine.
00:25:39
Speaker
Those are, those are my top two, um, just because they're the most thorough and I don't get a ton of follow up questions. I just try to avoid that too. Um, but anyways, I've, I've kind of thought if, if there was a version of a cyber accord that we may be all agreed upon, like, Hey, these are the questions that we're going to ask. Could we then have better data on the backend because we have a universal standard that we're underwriting to?
00:26:11
Speaker
Yes, but no, I think that's the answer because like the first step that yeah, getting like a cyber accord where everybody's filling out the same application. So every carrier is getting the same amount of data and we're then able to, it's like, it's all about how we underwrite. It's not necessarily about what information that we have or even how we ask the question. I think on the one hand that does cause that will,
00:26:38
Speaker
that cause the underwriting to become the thing that really, really matters above and beyond everything else. But that means that there's basically no innovation on the form, on the application. And I think we have tried some things on our application that, hey, you know, like this question, yeah, we added it and we really like it. We really like the way it's giving us some signal. There are other questions that
00:27:08
Speaker
we put in, we realize maybe they're more difficult for policy holders to answer, or maybe they don't provide as much signal to noise as we would want. So I think the problem with having an accord form, one standard form, is just that we would not have the innovation that we've seen. Now maybe in the next 20 years, we'll all settle on some, we'll eventually settle on
00:27:36
Speaker
a standard application, but yeah, I don't think that's coming anytime soon. That's going to be at the end of our careers if it comes at all, I think. Yeah. Yeah. I mean, I guess, I guess the way we kind of do have it, but I mean, I can use a Beasley or Tokyo Marine app and I don't have to get, you know, the carriers for most carriers, I don't have to get their application filled out. They'll, they'll accept it. Yeah. Like we try,
00:28:05
Speaker
We look at other carriers' applications, and we see where there's overlap. And we take that into account when we're writing an account. We take that into an account when we're drafting our applications. And there is a lot of overlap. Now, I will tell you that when we first came out with our ransomware supplemental application, there were a lot of applications that came out later that looked a lot like our application. So there is a bit of a...
00:28:35
Speaker
And I don't have a problem with that. I love that if people see something that good that's happening in the industry, then they should go for it. I mean, they should go for it and copy it. And I think that's great. Not even just applications. I've seen policies that I'm like, you didn't even change the font. Come on, guys. Yeah, I'm not going to name names, but I know there are some policies out there that probably have the same mistakes that our policy has.
00:29:04
Speaker
Not that it has any mistakes, but if there were a mistake in our policy that there would be a mistake in their policy too.
00:29:18
Speaker
Because, I mean, basically what Abe was saying there is like, we kind of already have it. I mean, it seems like it's informal that we have somewhat of a universal app right now. And that's kind of just the, you know, a Beasley Tokyo Marine app is kind of informally the universal app. And
00:29:36
Speaker
But it seems like this is somewhat of a universal thing because we use a lot of ENS markets right in the cyber world because of the dynamic ability and having an informal universal app creates dynamic as well. If we just had a standard form, think about how many yeses we'd have to get for a new standard app to get released. That would take forever.
00:30:05
Speaker
Um, and so it seems like the informal is the most dynamic and the only way to move forward. Yeah, I can tell you, I mean, in putting together our application, um, there are a lot of different opinions and there we have just a ton of smart people at Beasley. So like, if you ask somebody, what do you think about this question? You might get, if you ask five different people, you're going to get five different answers. And that's not because like,
00:30:31
Speaker
We don't agree on anything. It's just because we all have different perspectives and we all bring something to the table. And I think if you try to do that, not just internal to a company, but if you try to do that across an industry, you're just going to have so many people have so many different opinions about, about things. And it may be, may be different depending on, you know, what their portfolio looks like and, you know, how much they care about one thing versus another thing.
Emerging Risks and Technological Change
00:30:53
Speaker
And so, um, very hard, I think, to, to standardize on, on questions like,
00:31:00
Speaker
perfectly standardized, even if you look at our competitors' applications and compare them to our, while there is a lot of overlap, there are questions that don't overlap. There's a lot of questions that don't overlap. So we're still a long way from that. I think there's some core questions that a lot of people, not just in insurance, but cybersecurity in general have agreed are important, but there are other questions that, a lot of questions that we differ on.
00:31:28
Speaker
So obviously we use applications to assess a risk of an organization. How do you envision these kind of emerging risks like pixels? How do you envision we're going to approach something like this? So there's several ways to approach pixels.
00:31:59
Speaker
They're on every darn website. We're recording this on Zencaster and I have my little ghostery plug and it says there are six tracking pixels paying attention to what we're doing right now. Of course, tracking pixels are on pretty much every website in the world. That is something where scanning can be done and you can look at and
00:32:28
Speaker
you could scrape the every web page, but you could go to every domain and scrape them. There's actually a tool called the Blacklight by this news organization called the Markup. You can put in a domain and it will come back with a report of, we'll hear all the pixels and here's what they look like in terms of ad trackers versus session replay and a few other metrics.
00:32:58
Speaker
So I think that's one way that we can look at the use of tracking pixels. But I think the more important, I mean, figuring out what tracking pixels are on a website is dead simple. Anybody can do it. The markup does it for you. It's the question of what's going to happen legally. What's going to happen in the legal landscape?
00:33:26
Speaker
several settlements against hospitals that have been using tracking pixels, some of them inside their patient portal. We've seen the Office for Civil Rights enforcing the HIPAA Privacy Rule. They just almost a year ago now that they came out with a bulletin about how tracking pixels should or really shouldn't be used on hospital websites or other healthcare websites.
00:33:55
Speaker
You know, a lot of the major questions about how tracking pixels are used have yet to be settled. And the courts have been, I think, pretty inconsistent and maybe a little bit unpredictable in how they will treat this data. Some of them kind of look the other way and say, that's not a big deal. You know, you probably clicked something on your way into the website that gave them the permission to do it. And it's not a big deal anyway.
00:34:22
Speaker
versus some courts look at this and say, well, this is health data. And this has kind of an ick factor to it. And when I practice as an attorney, yeah, the law matters, but really the facts matter. You can say, OK, this is what the law is. But if the facts are really bad for you, chances are you're going to lose, even if the law seems to be good for you. Because the judges are human, too.
00:34:50
Speaker
find a way to look at your case in a way that disadvantages you from a legal perspective. So I think there's a lot more to come on tracking pixels. I think that things have to play out from a legal perspective. And then we'll really know, is this something that we can ensure against? How do we evaluate our policyholders compliance with the law, whatever the law ends up being?
00:35:19
Speaker
So I think it's a wait and see, take a bit of a wait and see approach to that. And I mean, on top of it, I think it's a potential financial risk from a book profitability. I mean, if there's a data exposure, I mean, they're tracking, they have all this data that they, I mean, data hoarders is what we were calling it on our previous episode with Violet.
00:35:47
Speaker
Every company has so much data that they just don't need. Yes now see I Was saying back in the day back in like 2015 when data data was the the big issue before ransomware took everything off our plates But I was you know, everybody's saying data is the new gold and I was like no no No, like data is the new toxic waste like you don't realize how keeping this stuff around can really harm you like yeah, you can like refine it to
00:36:16
Speaker
get something good out of it, but you also need to be worried about how having all this data can really, you know, especially if you don't need it, it can really be a liability. So that's something that I don't think that I think that's kind of a problem that needs to be addressed in the future. It needs to be addressed now. It won't be addressed now. It probably will be addressed in the future, but it's going to be a problem.
00:36:46
Speaker
I'm so curious how like compared to other lines for people that have your kind of responsibility, like I know I'm being naive in saying this, but there's no way that they have a harder job than you do to just like keep up with what's coming ahead. It's like what's really going to change meaningfully in work comp or any other kind of product as fast as it would in cyber, right?
00:37:13
Speaker
Like as we talk about things like pixels and AI, how, how quickly do you feel carriers can respond to these kind of emerging risks or technologies that like chat GPT came like September, October last year. And then literally in three months, everything was AI. So it's like, how do, how do you even have time to respond? So.
00:37:43
Speaker
I have two answers. One, it's really tough. As tough as it sounds, there's nothing special that we're doing other than we got a lot of smart people who have a lot of eyes on a lot of things and everybody takes their piece. I will say that one of the values in being a large writer of cyber insurance is that when there is a claims trend,
00:38:12
Speaker
We do have, we usually are on the forefront of seeing that claims trend and then being able to respond to that. And we have an amazing claims team that we work with very, like underwriting and claims, we meet, I was gonna say we meet every week, but that's not true. We meet more than every week. Like we meet several times a week, different groups meeting on different issues because we realize that
00:38:40
Speaker
Claims data, the claims experience is so important to how we get ahead of things as an insurance company. That is sometimes the thing that really allows us to get ahead of a lot of these emerging trends. But we can't get ahead of them all. I mean, chat GPT, I don't know what's going to happen. I think there's like chat GPT, what's going to happen in the future? There are like a thousand threads you could follow up.
00:39:11
Speaker
um, claims, business processes. It's just, it's going to change our lives. It's going to change our business. It's going to change. I think everything we do in the next 10 years, sobering thought.
AI's Impact and Challenges
00:39:27
Speaker
Yeah. I mean, or exciting. It depends on how you, I guess you're sobering. On the one hand, I feel like, you know, I've, I, I, I have lived through the like,
00:39:40
Speaker
When I first started on using a computer, I was using a Macintosh Plus, and it was not connected to the internet, obviously. And working through the evolution of computers, internet, social media, now, whatever the heck we're in right now, it's just been amazing. And I worry that as I get older, I will not be able to keep up because there will be
00:40:08
Speaker
There's Gen Z, but then there's Gen Alpha that's coming next. And those kids, my son included, are growing up with tablets. And they're growing up with this technology. And to them, artificial intelligence is not going to be new or scary. It's just going to be a thing that exists in their world. In fact, I was yesterday at the dinner table, I was generating some photos, some headshots showing my wife how you can
00:40:38
Speaker
there's this app that you can upload your photos to, photos of yourself, and then you can have it create headshots. And the headshots look way better than like the photos that you give it. It kind of like spruces it up, makes you kind of look like the best version of yourself. But I was generating these images and I was showing it to my wife and my son's like, just saying like, generate more, generate like, show me more, show, like, as if this is just a thing that you can just like ask the computer to do more. And he'll do this to my wife, he'll say like,
00:41:08
Speaker
He's like, I want to see a picture of a teddy bear riding a train in Disney World. And it's like, if you wanted to see that when we were kids, you had to draw it. Like, it doesn't just something you can punch into a computer and get it to make it. But that's the world they live in now. And that's the world we're all going to be. That's the world we're all living in.
00:41:31
Speaker
That's the thing we're going to have to grapple with what exactly all that means in the future. Well, right now and in the future. Yeah. I think that the generate more thing kind of just hit a little bit because it's like you can get a billion different variations of the same like one input and a billion types of different outputs. Yeah, it's amazing. Another thing that I do with my son, I use chat GPT to read him bedtime stories.
00:42:01
Speaker
And I have this prompt that generates a choose your own adventure story. Because I love choose your own adventure stories. And so I have this prompt. And I'll say, what do you want the story to be about? And sometimes it'll be about something fun, like going skiing. Sometimes it'll be like I want to go get eggs and milk at the grocery store. And I'm like, all right, whatever. Like, chat GPT is going to write a story about it. And he lives in a world where you can just think up what you want a story to be about. And there is a computer that will generate a fun choose your own adventure story about that.
00:42:31
Speaker
That should be mind blowing, but I mean, it is mind blowing to me, but for him, that's just like, that's a random Tuesday night. And that's, I mean, that's the world we're living in now. That's a fantastic idea. I got, I have a three month old, so it'd be a little premature for me to start that. Cause he can't really tell me which direction he wants to go, but when he can make choices, I would, I'm going to try that. That's awesome. Yeah. I had to play around with it to get it, get the right prompt.
00:43:01
Speaker
But yeah, it comes up. Some stories are really good. Some stories are really bad. But to a five-year-old's mind, most of them are pretty good. So that's a lot of fun. And that's what we live in now. I can only imagine what things are going to be like in the future. It's crazy. It's crazy. So it's hard, in my opinion, it's kind of hard to
00:43:28
Speaker
to assess the difference between an emerging technology and the risk that it carries. So I think initially I look at these emerging technologies and I'm concerned about the risk that they carry, but I'm not sure that they necessarily do carry anything.
00:43:52
Speaker
take us through your thought process on AI or pixels or any kind of those emerging technologies and what are the risks associated there that people need to be thinking about as they either self-examine or they examine their clients like they're a broker or an underwriter examining a submission. Yeah, I think a lot of this remains to be seen. I think we're going to discover issues
00:44:22
Speaker
that we currently don't have sight of. And we don't know are out there. They're out there. We just don't know them. We just have no idea they're out there. One potential issue, I think, is bias in the outputs of artificial intelligence. I saw the headline. I didn't have a chance to read this, but I believe it was some New York regulator had just defined a company.
00:44:52
Speaker
for using artificial intelligence to screen applications for applications for employment. And as part of that screening for applications that the AI was doing, it happened to just like automatically reject people over a certain age. So it ended up being an age discrimination thing that this company just trying to do the best thing, use AI to screen applications, didn't realize that
00:45:19
Speaker
Um, in the AI's mind, everybody over like 50 was basically unqualified. And so, um, I think things like that are going to show up and that's all like, it's all because these AI things are basically black boxes. Uh, they need a lot more, they need a lot of testing to ensure that they're not biased, to ensure that they're not going to hallucinate facts. They're not going to, you know,
00:45:47
Speaker
analyze a resume and say, hey, this person would be really good for this job because they have X, Y, and Z attributes when they don't have those attributes at all. I think those are going to be some of the difficult issues that we have to deal with. And that's something for us to figure out for the rest of our careers, I think. This is going to be an issue that is not just going to go away with one quick silver bullet.
00:46:17
Speaker
Yeah. Well, I'm curious what your, your outlook on AI, is it a net? Like if we look back in 20 years, is this, is the, is your outlook going to be a net positive or a net negative? Oh, I think almost, almost certainly a net net positive. Um, I think we are going to see, um, like when we look back at it,
00:46:45
Speaker
I think we'll look back on the last 50 years. There will be the personal computing revolution that happened in the 90s. Then there will be the internet revolution, which happened in the early 2000s. Then there's going to be the smartphone revolution, which happened, I want to say 2007, 2008, when the iPhone was released. And then we're going to have the AI revolution, which is about 2023.
00:47:15
Speaker
I think those are the four revolutions. I think that's how we're going to look back at things when we look back 50 years. Like this is a pivotal moment. And this is when things started to change. And I think we're going to see a lot of good come out of this because there are a lot of really cool things that you can use LLMs like chat GPT to do that you can't justify paying someone to do.
00:47:45
Speaker
But if you could snap your fingers and have it done, chat GPT can do it and it's going to do it. And, um, we're going to get a lot of value out of that. And, and just, uh, just wait for the next one where, cause each AI is kind of operating in some silo, just wait till they can communicate with each other, which will be coming. So, uh, I think that would be profound AI teaching AI. Um, that, that could be insane.
00:48:14
Speaker
That is already something that we have to reorient. We have to rework our perspective because right now it's like, oh, you asked chat GPT to solve a problem. And then chat GPT solves it or gives you an answer. But what if there were a chat GPT that we're asking what questions we need to solve? And then what if you had a chat GPT that was coordinating that amongst other chat GPTs, other agents who are asking what questions to solve?
00:48:42
Speaker
If you use that kind of hierarchical system where you have GPTs, controlling GPTs, controlling GPTs, you start to think, this thing could really do a lot of very sophisticated work. And there's already some experimentation going on out there and some papers talking about that very thing. And it becomes scary to think about what you could accomplish with that. And I'll give you an example. I was playing around with this program.
00:49:12
Speaker
I can't remember its name, but you could basically give it, you run it on your computer and it pings chat GPT to ask it questions, but it's basically an agent that will put together, you know, ask chat GPT a question and then it'll think about it and then ask another question and then it'll like manage this process and the idea that for it is like to use it for creating businesses and figuring out, okay, like I wanna create a business,
00:49:42
Speaker
create a business plan, go create, you know, do market research, and it can do all these things. Was it baby AGI? Yeah, it might have been that. It might have been like one just like that. But yeah, I was like, come up with a cyber MGA idea. And like, it started googling and like figuring out how googling and it brought back information and started compiling like, here's the strategy, here's the business plan, here's the projected revenues. And then it got to a point where it's like, I need a Twitter handle.
00:50:11
Speaker
Let me go register a Twitter handle. Let me go start drafting tweets for like the first day launch. Okay. Stop, stop, stop, stop, stop. Um, we're, you know, that's what we're, and that was just like, you know, a beta or an alpha program. Um, so you go out to lunch and you come back and your chat GPT has, or your chat GPT, your G G your baby AGI has come up with a business plan has come up with some projected revenues. If I come up with a PowerPoint presentation,
00:50:41
Speaker
that you're going to give to VCs. It's drafted a social media program, and it's given you a list of people to hire on the first day. That's crazy. That would have taken somebody months to do, but you could just have this computer go out and do it. It's awesome. It's scary. That's the output. And then what if you created a
00:51:05
Speaker
chat or something to gather the inputs and then to be like, Hey, there's been, I've received over a million different in outputs from all these baby AGI type of businesses. And I've gathered that these are the two best ones or whatever. Exactly. Yeah. You could just be like, all right, well, I'm going to leave baby AGI running for overnight. And I'm going to just say, create 50 business plans for me, baby AGI, like 50 potential businesses, do your research, blah, blah, blah, blah, blah. And then you come back in the morning and you say,
00:51:35
Speaker
All right, chat GPT, I'm going to feed you 50 different business plans. I want you to evaluate and tell me which one's the best one. And like, okay, you could do that 50 times, but you could do that 100 times. You could do it like 5,000 times. And now it's like, well, what's really stopping me from like doing all of this crazy iteration on AGI?
Human Interaction in an AI World
00:51:58
Speaker
That's what I think is really kind of awesome and scary.
00:52:03
Speaker
consolidate economics further or meaning like monetary or does it just like become null? Like is the output input like does it get so big that it it just the final result is null and all that matters is that Ryan, Craig and Abe can have a conversation we want to just you know. That
00:52:31
Speaker
That is a thing that I think is going to, as we've seen this explosion of AI, every time you use a search engine in search, half your search results are written by AI. And you go in, you click in an article, and it's just like you're reading it, and you're like, this is a terrible article. This doesn't answer the question at all. But it serves some search engine optimization need to get me to go to this page and perhaps click on an ad while I'm there. And I think this is my prediction.
00:53:00
Speaker
that like authentic interactions are going to become king. So things like podcasts, podcasts are going to become king because it's still pretty difficult to like fake, not just the voice, like you could, you could fake the voice, you could fake my voice, you could fake all our voices, but AGI, GPT cannot have this type of interaction, I don't think. And that's why I think like things like YouTube, you ever want to like,
00:53:28
Speaker
find something out go to YouTube because you'll be able to figure out who is genuine when they're looking into the camera and they're telling you from experience you can evaluate that you can use your eyeballs to figure that out versus you see some text on the web and you know in all likelihood it's it's been generated by by I'm with you in that book Craig I think this is only gonna push
00:53:50
Speaker
the need for genuine relationships, it's going to push the emotional intelligence will become king. If you are superior in emotional intelligence, then I think it'll push what you do in life further. So I completely am in the same boat as you. I think that's where we'll end up is just really harboring and appreciating genuine conversation more.
00:54:23
Speaker
Yes, and genuinely valuing those relationships. People always say that insurance is a very relationshipy industry.
Reflections and Future Discussions
00:54:34
Speaker
And I agree, it is. But I think rather than harming the relationships or making it less relationship-driven, I think all of this AI stuff is going to push us back into even more relationship-driven
00:54:50
Speaker
business and I think that's ultimately a good thing because at the end of the day, nothing replaces human interaction. Not yet. I don't know if I want to be around that, whatever replaces that. Right. Exactly. I would be really upset if I found out that you guys were just AI representations and not real. That would really not make me happy.
00:55:21
Speaker
We got a lot to disclose then, don't we Abe? No, tell it. Say it's not so. Everything in my source code is saying lie, but I have to tell the truth. Oh, man. Well, they're very convincing fakes. Very convincing.
00:55:42
Speaker
I didn't expect to get so existential, but this has been a lot of fun. It has. We'll have to do a part two because I feel like there's so many things that we didn't get to cover that we could totally have. Probably like a 10-part Craig Linton series. We need to do hour two on applications.
00:56:09
Speaker
We'll see if the audience falls off an hour or two. But yeah, no, this has been really great. This has been a lot of fun and just chatting with you guys. Yeah, it's been, I hope other people find it fun as well.
Where to Find Craig Online
00:56:24
Speaker
I think they will. And so one place that people can find Craig if they want to continue the dialogue is in the InsureSec Discord group. So that's one option.
00:56:38
Speaker
Where else can they find you, Craig? I'm on LinkedIn. I mean, who isn't? I'm also on Mastodon. If you go to risk.social, I'm Craig at risk.social. And if everything I just said to you makes no sense whatsoever, Mastodon is a Twitter-like social network that doesn't have an algorithmic feed and you can
00:57:04
Speaker
Create your own server, just kind of like email, and then converse with other people. It's a lot of fun. It's gained a lot of traction in the InfoSec space. And so there's a lot of cybersecurity nerds on there. And that's one of the reasons I use it. But you can come join my instance and talk to everyone else. It's just risk.social. Or you can join any other instance and have a great time. It's like Twitter without the algorithmic feed. Love that. Nice. Like old school 2009 Twitter. I love that. Love it. Love it.
00:57:34
Speaker
Well, thanks, Greg. This has been one for the books. Thank you. Thanks for coming on. Great. Absolutely. Anytime.